According to the spyware’s product details, uploaded to DocumentCloud by Claudio Guarnieri, Head of Security Lab at Amnesty International, Pegasus is meant to infiltrate smartphones silently and do three things: collect historical data from the device, continuously monitor activity and transmit this data to a third party.
Besides Android and iOS, Pegasus can also penetrate Symbian and BlackBerry-based devices. The malware can infect devices via phishing text messages that trick users into clicking a particular link, via the over-the-air update system and by other means. In WhatsApp’s case, it exploited a vulnerability in the app that allowed infection through missed video calls. WhatsApp patched this security gap back in May this year.
The same was confirmed by WhatsApp’s Global Head, Will Cathcart, through an op-ed in the Washington Post.
In every form of installation, the spyware completes the process in the background, entirely without the user noticing. This, combined with the fact that Pegasus requires no attention from the user, is one of the reasons the spyware is so dangerous and so popular amongst security contractors.
The iOS version of this spyware was found first, in 2016; its Android counterpart was revealed by security firm Lookout at the Security Analysts Summit in 2017. Chrysaor is the name Google assigned to the Android version of Pegasus.
Lookout’s technical analysis of Pegasus and the product document shared by Guarnieri both make one thing clear: WhatsApp isn’t the only affected platform, and Pegasus’s reach extends far beyond it. “As for surveillance, let’s be clear: We’re talking total surveillance,” wrote security firm Kaspersky in a blog post.
Once installed, Pegasus has access to the data already on your phone, including photos, videos, text messages, email apps, browsing history, contact list, location, files and other messaging apps (such as Viber, Skype and Messenger). It can also listen to you and the sounds around you through the phone’s microphones, record incoming and outgoing calls, capture screenshots and take photos with the phone’s camera.
Further, Pegasus doesn’t transmit data while a smartphone is roaming unless it is connected to WiFi. This is, of course, done to hide its tracks, since users might notice high data-usage bills while roaming. Instead, the spyware collects and stores data on your phone in an encrypted buffer, waiting to transmit it once you are no longer roaming. It does the same when the phone has no active Internet connection or its battery is below 5%.
To avoid detection, Pegasus is designed never to use more than 5% of the free space on your phone. So, if you have 10GB of free space, the malware will use only about 500MB at a time, which is near impossible to notice on a smartphone, even if you are looking for it. If it hasn’t been able to transmit to its servers for a while, Pegasus discards stored data on a first-in, first-out basis.
NSO has created an “intuitive” front-end for Pegasus users to browse the data they gather. This allows operators of the programme to easily sift through the tonnes of data they may be receiving through Pegasus.
Interestingly, there’s no real way to avoid a Pegasus attack beyond the usual best practices. Security experts have repeatedly advised against downloading suspicious files, clicking on unknown links and so on, and those remain the best defence against this malware.
Here are some of the famous surveillance programs:
RCSAndroid: An Android surveillance tool designed by the Milan-based company Hacking Team. It is a data-collection tool sold to law enforcement and government agencies. It was disguised as a news app on the Play Store and somehow escaped Google’s security scans.
DROPOUTJEEP: A program revealed to have been the go-to tool of the US National Security Agency (NSA) for compromising Apple’s iPhones. It could access files on the device, read SMS texts, voicemail messages and more.
XKeyscore: The NSA, in its training material, called this its “widest reaching” system for gathering intelligence from the Internet. XKeyscore was among the programs revealed by whistleblower Edward Snowden.
Livestrong: An exploit used by the US Central Intelligence Agency (CIA) to compromise devices running Android 4.4 KitKat, revealed by WikiLeaks as part of the famous Vault7 data dump.